tools(oauth-draft): port Gmail OAuth helpers into framework #4
Merged
Ports the three Gmail OAuth scripts that previously lived at `airflow-s/airflow-s:tools/gmail/oauth-draft/` into the framework as an installable Python project, mirroring the shape of the `generate-cve-json` port (PR #2).

The tool was already largely project-agnostic — the only adopter-specific bit was the default credentials path (`~/.config/airflow-s/gmail-oauth.json`), which was a holdover from when the tracker repo was named `airflow-s`. It now defaults to `~/.config/apache-steward/gmail-oauth.json`, aligning with the `<project-config>/apache-steward/` submodule convention.

Files added:

- `tools/gmail/oauth-draft/pyproject.toml` — three console scripts (`oauth-draft-setup`, `oauth-draft-create`, `oauth-draft-mark-read`). `google-auth-oauthlib` is the only runtime dep (used by setup); the other two commands are stdlib-only.
- `tools/gmail/oauth-draft/src/oauth_draft/credentials.py` — shared `Credentials` dataclass, `locate_credentials` resolution, and `refresh_access_token` so the three commands don't duplicate the OAuth boilerplate.
- `tools/gmail/oauth-draft/src/oauth_draft/{setup_creds,create_draft,mark_threads_read}.py` — one module per command, each with a thin `main(argv)` callable used by both the console-script entry point and the test suite.
- `tools/gmail/oauth-draft/src/oauth_draft/__init__.py` — re-exports the three `main` functions.
- `tools/gmail/oauth-draft/tests/{__init__,test_credentials,test_create_draft,test_mark_threads_read}.py` — 22 tests covering credential loading, path resolution, MIME building, the pure thread-header helper, and arg-parsing defaults. No tests hit the Gmail API. The originals carried no tests; this thin set gives the pre-commit `pytest` hook real coverage.
- `tools/gmail/oauth-draft/README.md` — Run / Setup / How threading is guaranteed / Test / Lint sections, mirroring the generate-cve-json README. The one-time OAuth setup walkthrough that used to live in the airflow-s `oauth-draft/README.md` is folded in here.
- `tools/gmail/oauth-draft/{.gitignore,uv.lock}` — standard.

Files updated:

- `.pre-commit-config.yaml` — added the four `oauth-draft-*` hooks (ruff-check, ruff-format, mypy, pytest), scoped to `^tools/gmail/oauth-draft/(src|tests|pyproject\.toml)`.
- `tools/gmail/{draft-backends,operations}.md` — switched legacy script-path references (`tools/gmail/oauth-draft/create_draft.py`, `setup_credentials.py`) to the console-script invocation form (`uv run --project <framework>/tools/gmail/oauth-draft oauth-draft-*`). Default credentials path updated to `~/.config/apache-steward/gmail-oauth.json`.
- `.claude/skills/{sync,allocate-cve,import,invalidate}-security-issue/SKILL.md` — same default-path update; the sync skill also gets the console-script invocation.

Test plan:

- 22 tests pass against the new suite.
- All four pre-commit hooks pass (ruff/ruff-format/mypy/pytest) plus the standard repo hooks (doctoc, end-of-file-fixer, etc.).
- All three console scripts respond to `--help` correctly.

Coordination:

A follow-up PR against `airflow-s/airflow-s` will delete the local `tools/gmail/oauth-draft/` scripts there (they live in the framework now via submodule) and update local references to point at the framework copy. Existing airflow-s users with credentials at the old `~/.config/airflow-s/gmail-oauth.json` path can either move the file to `~/.config/apache-steward/` or set `\$GMAIL_OAUTH_CREDENTIALS` — that follow-up PR's body will flag this.

Generated-by: Claude Code (Claude Opus 4.7)
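The credentials-path migration described above, as an added example that is not the project's `locate_credentials`: it resolves the `GMAIL_OAUTH_CREDENTIALS` override or the new default and reports a file left at the old path instead of loading it. The precedence order, the refusal to fall back silently to the legacy path, and the mode check are assumptions of this example, as are the names `resolve_credentials` and `demo`.

```python
import os
import stat
import tempfile
from pathlib import Path

ENV_VAR = "GMAIL_OAUTH_CREDENTIALS"  # override named in the PR description
DEFAULT_REL = ".config/apache-steward/gmail-oauth.json"  # new default
LEGACY_REL = ".config/airflow-s/gmail-oauth.json"  # pre-port default


def resolve_credentials(env, home):
    """Return (path_or_None, warnings).

    Assumed precedence: explicit override first, then the new default.
    """
    warnings = []
    override = env.get(ENV_VAR)
    path = Path(override).expanduser() if override else Path(home) / DEFAULT_REL
    legacy = Path(home) / LEGACY_REL
    if not path.is_file():
        # Never load the legacy file implicitly; only tell the operator.
        if not override and legacy.is_file():
            warnings.append(f"credentials still at legacy path {legacy}")
        return None, warnings
    # Assumed hardening: the file holds OAuth credentials, so reject any
    # group or world permission bits.
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append(f"{path} has mode {mode:o}; expected 600")
        return None, warnings
    return path, warnings


def demo():
    """Run the resolver against a constructed home directory."""
    with tempfile.TemporaryDirectory() as home:
        legacy = Path(home) / LEGACY_REL
        legacy.parent.mkdir(parents=True)
        legacy.write_text("{}")  # constructed placeholder, not real credentials
        os.chmod(legacy, 0o600)
        only_legacy = resolve_credentials({}, home)
        via_env = resolve_credentials({ENV_VAR: str(legacy)}, home)
        os.chmod(legacy, 0o644)
        too_open = resolve_credentials({ENV_VAR: str(legacy)}, home)
    return only_legacy, via_env, too_open


if __name__ == "__main__":
    for path, warns in demo():
        print(path, warns)
```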
potiuk added a commit that referenced this pull request May 30, 2026
…erns from session manual cleanups (#402)

Per direct observations from the airflow-s 2026-05-29/30 bulk sync — two recurring title-noise patterns were cleaned manually that the existing cascade did not catch:

1. Trailing prior-CVE-relationship parentheticals — the cross-CVE relationship is structurally captured by the Gate #3 cross-CVE clause in the public summary; embedding the relationship in the title is noise to downstream advisory consumers. Catches every shape observed in this session:
   - `(CVE-YYYY-NNNNN)`
   - `(possible CVE-YYYY-NNNNN variant)` — from #345
   - `(incomplete fix for CVE-YYYY-NNNNN)` — from #351
   - `(fix-bypass of CVE-YYYY-NNNNN)` — from #352
   - and any other `(... CVE-YYYY-NNNNN ...)` shape
2. Trailing reporter-name attribution parentheticals — reporter attribution lives in the credits field, never in the public title. Pattern matches `(<name> follow-up)` where `<name>` matches name-like tokens (word chars, dots, hyphens, single inline spaces) to avoid over-stripping substantive technical content. Catches:
   - `(Evan Ricafort follow-up)` — from #346

Substantive technical parentheticals stay intact — e.g. the operator-name list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS path-traversal tracker is NOT stripped (it lacks a CVE ID and doesn't end in `follow-up`).

The matching Step 1d signal row in security-issue-sync now enumerates the two new patterns so the proposal-time detector and the pre-push Gate #4 stay in lock-step with the cascade.

Validated against 9 cases: 4 session-derived fixes (all pass), 3 synthetic CVE-relationship variants (all pass), 1 substantive technical parenthetical (preserved correctly), 1 "<word> follow-up" edge case (stripped as designed — narrow scope acceptable since "follow-up" titles in airflow-s are exclusively reporter-attribution).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
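The two title-noise patterns from the commit message above, as an added example that is not the cascade's own code. The regular expressions, the function names, and the sample titles (with placeholder CVE IDs and a placeholder reporter name) are constructed here from the prose description.

```python
import re

# Trailing "(... CVE-YYYY-NNNNN ...)" parenthetical, any wording around the ID.
CVE_PAREN = re.compile(r"\s*\([^()]*\bCVE-\d{4}-\d{4,}\b[^()]*\)\s*$")
# Trailing "(<name> follow-up)": name-like tokens only (word chars, dots,
# hyphens) separated by single spaces, so "+" or "/" lists never match.
NAME_PAREN = re.compile(r"\s*\([\w.\-]+(?: [\w.\-]+)* follow-up\)\s*$")


def clean_title(title):
    """Strip trailing relationship/attribution parentheticals until stable."""
    while True:
        stripped = NAME_PAREN.sub("", CVE_PAREN.sub("", title))
        if stripped == title:
            return title
        title = stripped


# Constructed titles; CVE-2099-* IDs and the reporter name are placeholders.
CASES = [
    "Path traversal in example hook (CVE-2099-00001)",
    "Path traversal in example hook (possible CVE-2099-00001 variant)",
    "Path traversal in example hook (incomplete fix for CVE-2099-00001)",
    "Path traversal in example hook (fix-bypass of CVE-2099-00001)",
    "XSS in example view (Jane Q. Doe follow-up)",
    "XSS in example view (CVE-2099-00002) (Jane Doe follow-up)",
    # Substantive parenthetical: no CVE ID, does not end in "follow-up".
    "GCS path traversal (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)",
    # Not trailing, so it is left alone.
    "Regression (CVE-2099-00003) in example parser",
]


def run_cases():
    """Map every constructed title to its cleaned form."""
    return {title: clean_title(title) for title in CASES}


if __name__ == "__main__":
    for before, after in run_cases().items():
        print(f"{before!r} -> {after!r}")
```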
potiuk pushed a commit that referenced this pull request Jul 3, 2026
…ymise historical dev-list reference (#696)

* fix(pr-management-triage): generalise security-list coupling and anonymise historical dev-list reference

  Low-confidence asf-coupling pass (spec-loop work item #4).

  - comment-templates.md: replace hardcoded `security@apache.org` with `<security-list>` placeholder; remove ASF-specific URL from security vulnerability-handling prose; remove internal "dev@ thread with Elad" cross-reference
  - rationale.md: anonymise motivating-problem paragraph — project-specific mailing list name and individual names replaced with generic phrasing
  - SKILL.md: remove "dev@ thread with Elad" reference from triage_feedback_channel description
  - specs/project-agnosticism.md: extend Known Gaps entry to document the specific fixes made in this pass

  The validator already produces 0 asf-coupling warnings (org-scoped skills are suppressed by the `organization: ASF` frontmatter added in 0073ae8). The real coupling was in sub-documents not checked by the validator — `comment-templates.md` is posted verbatim to GitHub PRs, so a hardcoded `security@apache.org` was a genuine blocker for non-ASF adopters.

  `<security-list>` resolves from `<project-config>/project.md` → `mailing_lists.security` at run time.

  Generated-by: Claude (Opus 4.7)

* fix issue with unrelated README file